websecurity@lists.webappsec.org

The Web Security Mailing List


Real security of web sites with security logos

MustLive
Thu, Feb 3, 2011 5:23 PM

Hello participants of the Mailing List.

In my post Vulnerabilities at PCI DSS sites
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-December/007344.html)
I wrote in particular about funky security logos at vulnerable e-commerce
sites (such as EPS) which aren't PCI DSS certified, but which need to be
certified. We discussed this a lot on the list during December-January.

I asked a partly rhetorical question concerning it - "Is the company, owner
of EPS, deceiving people by not having PCI DSS and putting up "funky"
Verified by VISA and MasterCard SecureCode logos?" and answered it - "It
looks like so". And in my letter to Christian
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-January/007390.html)
I said that I'd write more about it later. So here we go :-).

At the beginning of January I wrote the article Real security of web sites with
security logos (http://websecurity.com.ua/4811/). To give a short retelling
of it, I'll note that this article is about the above-mentioned issue with security
logos at e-commerce sites (such as EPS) which have holes, or aren't PCI DSS
certified, or have both holes and no PCI DSS certificate. Such sites use
security logos to hide under them and to deceive people (to make them feel
that their sites are safe while they are not, and so users of the sites
also are not safe).

Among the security logos which are used to hide under while ignoring the
security of their sites (and to create a false sense of security for visitors
and users of such sites) are Verified by VISA, MasterCard
SecureCode and SSL logos. As is clear from the examples which I provided in
my article, there are e-commerce and EPS sites which put such
logos on their pages and don't care about security at all (which is clear
from the multiple holes which I found at these web sites).

Like the LiqPAY system (EPS/processing system) mentioned in my article,
which must be PCI DSS certified, but has been working for two years without a
certificate (and with multiple holes) while displaying Verified by VISA,
MasterCard SecureCode and SSL logos. By putting these logos on every page
and on its "security" page the system tells people (i.e. deceives them) about its
high level of security - with holes in the site and no PCI DSS. The SSL
certificate is issued by GoDaddy, and on the "security" page of the site there is
a "GoDaddy Secure Web Site" logo, which is vulnerable by itself, as I wrote in
another of my articles in January 2010.

In the article I draw attention to the real purpose of the SSL and 3-D Secure
standards, which risks they can protect from and which they can't. And
also that the names of the technologies "Verified by VISA" and "MasterCard
SecureCode" by themselves sound like something they are not in reality, which
confuses people and helps such companies (which like to hide under security
logos) to deceive people and to look "secure" at that. All of this is to let people know
the real state of security of sites with such logos, and with any security logos
in general.

And I mentioned one recently hacked e-commerce site with Verified by
VISA, MasterCard SecureCode and VeriSign Secured logos, which I found during
my regular research of hacked sites (http://websecurity.com.ua/4878/). This
shows that sites with such security logos not only have holes, but also get
hacked ;-). Plus recently I wrote about the hacked site of the EPS/processing system
Chronopay (http://websecurity.com.ua/4881/). It was hacked (in December),
as it looked from the defaced site, but the owner claimed that it was
domain hijacking - which in any case is not good for a card processing system.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
